Understanding /var/account/pacct OR /var/account/acct – Acct File Format

Author: Vivek Gite Last updated: June 27, 2008 1 comment

Q. Can you explain /var/account/pacct or /var/log/account/pacct file under Linux / UNIX operating systems?

A. A acct file (/var/account/acct or /var/account/pacct) format is common in UNIX / Linux / BSD operating systems. The kernel will start the process accounting and stores in /var/account/pacct or /var/log/account/pacct file which the system wide unix process accounting or unix accounting file for UNIX / Linux like operating systems. The location and name of the file depends upon UNIX / Linux variant:

  • FreeBSD / OpenBSD default accounting file: /var/account/acct
  • Red Hat / RHEL / CentOS / Fedora Linux : /var/account/pacct
  • Debian / Ubuntu Linux : /var/log/account/pacct
  • Sun Solaris UNIX default accounting file : /var/adm/pacct

accton command

The accton utility is used for switching system accounting on or off. If called with the argument acctfile, system accounting is enabled. The acctfile specified must exist prior to starting system accounting, or accton will return an error. You can run accton as follows:
# accton /path/to/file
# accton /var/account/acct
Under Red Hat / CentOS Linux, you can enter following command to start accounting service:
# chkconfig psacct on
# /etc/init.d/psacct
Under Ubuntu / Debian Linux, you need to enter following command to start accounting service:
# update-rc.d acct defaults
/etc/init.d/acct start

acct file format

The kernel maintains the following acct information structure for all processes. If a process terminates, and accounting is enabled, the kernel calls the acct(2) function call to prepare and append the record to the accounting file.

#define AC_COMM_LEN 16
 
     /*
      * Accounting structure version 2 (current).
      * The first byte is always zero.
      * Time units are microseconds.
      */
 
     struct acctv2 {
             uint8_t  ac_zero;               /* zero identifies new version */
             uint8_t  ac_version;            /* record version number */
             uint16_t ac_len;                /* record length */
 
             char      ac_comm[AC_COMM_LEN]; /* command name */
             float     ac_utime;             /* user time */
             float     ac_stime;             /* system time */
             float     ac_etime;             /* elapsed time */
             time_t    ac_btime;             /* starting time */
             uid_t     ac_uid;               /* user id */
             gid_t     ac_gid;               /* group id */
             float     ac_mem;               /* average memory usage */
             float     ac_io;                /* count of IO blocks */
             __dev_t   ac_tty;               /* controlling tty */
 
             uint16_t ac_len2;               /* record length */
             union {
                     __dev_t   ac_align;     /* force v1 compatible alignment */
 
     #define AFORK   0x01                    /* forked but not exec'ed */
     /* ASU is no longer supported */
     #define ASU     0x02                    /* used super-user permissions */
     #define ACOMPAT 0x04                    /* used compatibility mode */
     #define ACORE   0x08                    /* dumped core */
     #define AXSIG   0x10                    /* killed by a signal */
     #define ANVER   0x20                    /* new record version */
 
                     uint8_t  ac_flag;       /* accounting flags */
             } ac_trailer;
 
     #define ac_flagx ac_trailer.ac_flag
     };

If a terminated process was created by an execve(2), the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one of more of the following flags in ac_flag: AFORK, ACOMPAT, ACORE and ASIG. ASU is no longer supported. ANVER is always set in the above structure.

How do I use acct file?

You need to use acct file using lastcomm or sa command. Please see following article for practial usage of acct file:

Recommended readings:

Refer to man pages and acct.h header file:
man 5 acct
man 1 lastcomm
man 2 acct
man 2 execve
man 8 sa
man 1 accton
vi /usr/include/linux/acct.h
vi /usr/include/sys/acct.h


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 1 comment so far... add one


Related Tutorials
CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
1 comment… add one
  • waseem Feb 1, 2017 @ 4:37

    is there a way to get time with sa -c command. sa -c command give percentages.
    i want to know can i get daily or hourly percentages by this command.

    Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum

Next FAQ:

Previous FAQ:

FEATURED ARTICLES

Sign up for my newsletter